Subject: RE: [saml-dev] Trouble Verifying the XML Digest
Scott, I am currently canonicalizing the XML before I hash it with SHA1. The library I'm using is XMLCanonicalizer Version 1.01, which I am getting from a ruby gem. This is patched from the original release based on the SAML2Ruby library published by Sun. Here is the code that I'm using. Thanks for your help.

require 'rexml/document'
require 'rexml/xpath'
require 'digest/sha1'
require 'base64'
# plus the require for the XmlCanonicalizer gem mentioned above
include REXML

DS = { "ds" => "http://www.w3.org/2000/09/xmldsig#" }

# remove signature node (the enveloped-signature transform)
sig_element = XPath.first(@xmldocument, "//ds:Signature", DS)
sig_element.remove

# check digests
logger.info("checking digests") if !logger.nil?
XPath.each(sig_element, ".//ds:Reference", DS) do |ref|
  uri = ref.attributes.get_attribute("URI").value
  id = uri[1, uri.size]   # drop the leading '#'
  logger.info("URI = " + id) if !logger.nil?
  # "//[@ID=...]" is not valid XPath; the node test "*" is required
  hashed_element = XPath.first(self, "//*[@ID='#{id}']")
  logger.info("hashed element = " + hashed_element.to_s) if !logger.nil?
  canoner = XML::Util::XmlCanonicalizer.new(false, true)   # no comments, exclusive C14N
  canon_hashed_element = canoner.canonicalize_element(hashed_element)
  logger.info("canon hashed element = " + canon_hashed_element) if !logger.nil?
  hash = Base64.encode64(Digest::SHA1.digest(canon_hashed_element)).chomp
  # read this Reference's own DigestValue (relative path), not the first one in the document
  digest_value = XPath.first(ref, "ds:DigestValue", DS).text.strip
  logger.info("hashed_element_hash = " + hash) if !logger.nil?
  logger.info("digest_value_element = " + digest_value) if !logger.nil?
  valid_flag = hash == digest_value
  return valid_flag if !valid_flag
end

-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu]
Sent: Wednesday, December 16, 2009 10:17 PM
To: Mark Fruhling; saml-dev@lists.oasis-open.org
Subject: RE: [saml-dev] Trouble Verifying the XML Digest

Mark Fruhling wrote on 2009-12-16:
> It's my understanding that the digest should be the
> assertion => SHA-1 Hashed => Base 64 encoded.

To a degree, but that grossly oversimplifies how you verify an XML Signature, specifically the "assertion => hash" part. That requires XML Canonicalization.
You can't just feed the XML directly into a hash, there's virtually no chance you'll end up with the same octets. (Maybe you know that, but when people ask questions like that, they usually don't.) -- Scott
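An added example, not code from this thread or from the SAML2Ruby library, showing Scott's point end to end: the same assertion serialized two ways hashes to two different values as raw octets but to one value after canonicalization, and a ds:Reference digest is checked by locating the element by ID, dropping the enveloped ds:Signature, canonicalizing, then SHA-1 and Base64. It is in Python because its standard library ships a canonicalizer (C14N 2.0, which is close to but not identical with the Exclusive C14N 1.0 SAML signatures use, so production verification belongs in an XML-DSig library); the assertion text, the ID "_abc" and the signature skeleton are constructed for the example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("ds", DS)      # keep the original prefixes when a
ET.register_namespace("saml", SAML)  # subtree is re-serialised for C14N

# Constructed sample: one assertion written two ways (attribute order, quote
# style, whitespace inside tags and empty-element syntax differ).
ASSERTION_A = (f'<saml:Assertion xmlns:saml="{SAML}" ID="_abc" Version="2.0">'
               '<saml:Issuer>idp.example</saml:Issuer><saml:Subject/></saml:Assertion>')
ASSERTION_B = (f"<saml:Assertion  Version='2.0' ID='_abc' xmlns:saml='{SAML}' >"
               "<saml:Issuer>idp.example</saml:Issuer><saml:Subject></saml:Subject></saml:Assertion>")
# Constructed enveloped-signature skeleton; only the digest is filled in here.
SIGNATURE = ('<ds:Signature xmlns:ds="{ds}"><ds:SignedInfo><ds:Reference URI="#{ref}">'
             '<ds:DigestValue>{digest}</ds:DigestValue></ds:Reference></ds:SignedInfo>'
             '<ds:SignatureValue>not-computed</ds:SignatureValue></ds:Signature>')

def b64_sha1(data: bytes) -> str:
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def raw_digest(xml_text: str) -> str:  # what the thread warns against
    return b64_sha1(xml_text.encode())

def canonical_digest(xml_bytes: bytes, ref_id: str) -> str:
    """DigestValue for a ds:Reference with URI="#ref_id": find the element by ID,
    drop any enveloped ds:Signature inside it, canonicalise, SHA-1, Base64."""
    root = ET.fromstring(xml_bytes)
    target = root if root.get("ID") == ref_id else root.find(f".//*[@ID='{ref_id}']")
    canon = ET.canonicalize(ET.tostring(target), exclude_tags=[f"{{{DS}}}Signature"])
    return b64_sha1(canon.encode())

def envelope(assertion_xml: str, ref_id: str) -> bytes:
    """Embed a ds:Signature whose Reference carries the correct digest."""
    digest = canonical_digest(assertion_xml.encode(), ref_id)
    sig = SIGNATURE.format(ds=DS, ref=ref_id, digest=digest)
    return assertion_xml.replace("</saml:Assertion>", sig + "</saml:Assertion>").encode()

def verify_digests(xml_bytes: bytes) -> bool:
    """Check every ds:Reference; DigestValue is read relative to its own Reference,
    not with a document-wide //ds:DigestValue search that returns the first one."""
    root = ET.fromstring(xml_bytes)
    for ref in root.iterfind(".//ds:SignedInfo/ds:Reference", {"ds": DS}):
        expected = ref.find("ds:DigestValue", {"ds": DS}).text.strip()
        if canonical_digest(xml_bytes, ref.get("URI")[1:]) != expected:
            return False
    return True
```

Changing any attribute or text of the referenced element after enveloping makes verify_digests return False, while re-serializing it with different quoting or attribute order does not.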